In this latest podcast from our cybersecurity series, Associate Director Vince Dasta breaks down some common misconceptions around cyber risk quantification (CRQ) and suggests ways companies can get insights through quantitative analysis of available data, even in imperfect data environments. Full transcript below.
Powerful Insights – Cyber Risk Quantification
In-Depth Interview with Vince Dasta [transcript]
Kevin Donahue: Hello. This is Kevin Donahue with Protiviti, welcoming you to a new edition of Powerful Insights and our series on cyber security awareness. Protiviti has a series of webinars on cyber security awareness that, along with these accompanying podcasts, are intended to highlight ways organizations can be proactive in addressing these critical security challenges. We explore how leaders can dynamically build cyber resilience while maximizing value.
In this series, I’m talking to our cyber security leaders who are speaking on our webinars and are in the market, working with organizations addressing these challenges. Our webinar content, as well as other cyber security thought leadership we’ve published, is available at protiviti.com/security.
With that, I’m pleased to introduce my guest today, Vince Dasta. Vince is an associate director with our Security and Privacy practice based out of Chicago. He has been participating in these webinars and, as I mentioned, is in the market on a daily basis, working with our clients on their various cyber security challenges and how to address them.
Vince, thanks for joining me today.
Vince Dasta: Yes. Thanks for having me. Great to be here.
Kevin Donahue: So, Vince, to get started, let me just ask you a real general, get-to-know-you question. How would your parents describe what you do for a living?
Vince Dasta: Great question. I think that the easiest way to describe what I do is that I help companies use data to make decisions through quantitative analysis and using the data they have access to to inform a business decision at the end of the day. How do they do that? How do they build the programs around that, and how they process that data?
Kevin Donahue: That makes sense. Yes, great rundown.
Vince Dasta: Yes.
Kevin Donahue: Vince, you focus on and specialize in, within cyber security, this realm called cyber risk quantification.
Vince Dasta: Yes.
Kevin Donahue: Why is this field so important?
Vince Dasta: I think cyber risk quantification, probably over the last couple of years, has become a huge area of focus for a lot of companies. I think why it’s so important today is that the companies are starting to realize that the way that they manage their cyber security landscape needs to evolve, and that there’s a lot of data that they have access to.
They have a lot of tools out there in the environment and a lot of information, but most companies up to this point have probably struggled to turn that data into usable information that helps them make decisions about the way that they manage their program and understand the risk to their organization. Being able to do that in business terms – the way they would look at any other type of enterprise risk, I think – is something that companies are starting to realize is possible, and there’s a lot of interest in doing that now coming from the top all the way down, from the board of directors all the way to the practitioners that have to do this every day.
Kevin Donahue: Vince, in thinking about the data that’s available and the process you’ve just described, what are some of the common myths that you think are in this field or that you maybe hear about from companies that you have to debunk?
Vince Dasta: Yes. I think the themes that come up most often are that, to do this type of risk quantification or to get valuable insight out of the data that they have, you have to have a lot of data to begin with. Then, that data has to be very complete, and it has to be of a certain type of quality to be useful in making these types of decisions.
The reality of the facts is that you actually need a lot less data than you probably think because there are very easy-to-use and commonly accepted statistical tools and practices out there that let you draw a lot of insight from very little data, and even data that’s incomplete or maybe of poor quality, by the traditional means. When I work with companies, I think the important thing to realize is that just making observations and observing the information that you can glean from your data in relatively straightforward ways actually has a lot of value in reducing the level of uncertainty that you have about the landscape.
An example of that is that if your answer today is, “I have no idea about a particular issue or a problem,” well, just a very simple observation, just using various straightforward and available data without any kind of processing or big data machine learning algorithms or anything like this, just making a simple observation can reduce that “I don’t know” down to a reasonable range, right? Then, that first observation helps you reduce uncertainty significantly and can help you figure out where you can get other sources of data and what may be available within your environment that you just didn’t know about.
At the end of the day, I think the common misconception that most of my clients have is that their problem is the data, but the reality is, it’s typically not. Companies have access to lots of data. That data can be used in very valuable ways with very basic statistics that let me get a lot of information out.
Kevin Donahue: Vince, that’s really interesting because I’ve heard that around not just cyber security but also around other issues – that data governance, data management and quality of data is critical. So, you’re saying it’s not this insurmountable hurdle when it comes to cyber risk quantification.
Vince Dasta: Yes, that’s right. I’d be curious to know – most people have used this term statistical significance, right? They say that there is not a statistically significant amount of data that they can draw conclusions from. The reality is, most of the people that say that have never actually done that analysis, right? “Statistically significant” is a very specific term that means a very specific thing. When most companies say that the data they have isn’t statistically significant, they’re not doing that analysis and they’re not calculating the value of more information and going through those processes.
Like we said, we use these statistical methods. Statistics is based on drawing insights out of incomplete data, right? So, the idea that you don’t have enough is typically incorrect. The reality, I think, is that once you start to look at this, even taking a small sample, the goal of this, again, is to reduce uncertainty. If I can take a small sample of a population and understand what that looks like, there are tools that I can use to infer what the population as a whole looks like, for example. What that allows me to do is to use data in a way that it is designed for, rather than assume that I have to have a complete set all the time, right?
That is a little bit different than data governance and some of these other fields, but if we’re trying to make decisions with data and trying to use data to inform our program, you can do a lot with a little, and I think most companies just don’t know where to start in the beginning to identify what the little is that they have.
Kevin Donahue: Data should not be this big, overwhelming challenge for organizations. So then, Vince, what would you say is the biggest challenge facing companies or your clients right now in this area?
Vince Dasta: I think one of the challenges that we see that probably is the biggest is that most companies probably start this process from the wrong angle, right? They start from the bottom up and they say, “What data do we have?” Then, “What can we do with that data that’s out there,” right? The challenge is that when you do that, if you don’t know what the questions you’re trying to answer are, it’s very hard to determine how to answer them, right?
I would say the challenge that most companies that I see that are working on these data projects or metrics projects around security is, they’re not starting with the question that they’re trying to answer in mind. At the end of the day, it’s very easy to jump into the fancy tools that we have and the repositories and the data lakes and the SIEMs and all the tools that are out there and start to figure out, “What can we do with this information or with this data?” The better approach to that, I think, that companies are doing as well is, they’re starting at the top and they’re saying, “What’s the question that I’m trying to answer? What are the indicators that are going to help me answer that question? Then, what’s the data that I need to inform those indicators and the measures and the metrics that make that up?”
If you take that approach, like I said before, you can be very creative in understanding what’s out there and how to answer that question, how to reduce uncertainty, which you just can’t do if you’re trying to blow it up from the bottom and draw insights out of it that way.
Kevin Donahue: Now, Vince, my next question, I’m going to guess, is different – there’s a different response to what you just described. My question is, what’s the one question you are asked about most often by companies interested in this field, and how do you answer it? I’m guessing it’s not necessarily about data.
Vince Dasta: Right. Yes. I think it probably aligns more to the second point. I think the question that I probably get asked most often is, “What are the metrics that matter? What metrics should I be looking at or collecting for my security program?” I think the thought process behind that question stems more from that first example of “What metrics should I be collecting? What data do I need to do that?”
The reality of most situations is that it’s not about “What metrics I should be collecting?” It’s about “What questions am I trying to answer?” – right? Once I’ve determined what questions I’m being asked – from my board of directors or from my stakeholders or my executives – it’s a lot easier to go down and decompose that question using methodologies like GQIM, which is out there in the public domain, that allow me to distill down from an organizational goal or objective into questions and ultimately determine the data that I need to answer those questions. I think that’s overwhelmingly the question that comes up most often – “What metrics should I be collecting and reporting on?” – right? We usually answer that with “Well, what questions are you actually trying to answer, and who are you answering these questions for?”
Kevin Donahue: Let me switch gears a little bit here. From your own perspective, with respect to cyber risk quantification, and maybe its growth and evolution that’s taken place recently or even over the next few years that you’re anticipating, what are you really curious about right now?
Vince Dasta: Yes. I think one of the things that I’m curious about when I look at this is, where is this going to go, right? If you look at the evolution of this process, over the last couple of years, it’s been about the skill set and the technical side of this. How do you make these measurements, and how do you report on these things and the tools that are out there?
I think there has been a lot of evolution in that space over the last few years, but what is interesting to me, and what I’m curious about, is, how are companies going to start using this data and information to really inform their decisions about the future, rather than just looking at this as an assurance activity or a rear-looking measurement of “How did we do?” I’ve seen a couple of companies that are doing this very well, and they’re incorporating this into their decision-making processes.
I’m really curious to see if that takes off, because I think there is a lot of potential there. It would be a big competitive advantage for most of the companies that are struggling in the space as they look at the landscape that’s out there and try to get ahead and stay ahead of the threats and the cyber security risks that are out there. How do we use these types of methods to make decisions about the future, rather than just looking in the rear or using this as a reporting and assurance function? I think there is a lot of room for innovation in that space, both on the technology side as well as the business side. I’m really excited to see where that goes.
Kevin Donahue: Vince, that makes sense because our firm, Protiviti, has done studies showing that the board is more engaged than ever in cyber security issues, information security issues. I would imagine that their interest is not around taking a retrospective or assurance-type look, but really more about the future, correct?
Vince Dasta: Yes, that’s right. If you look at the way that most of these conversations happen today and the material that companies are presenting to their boards from a cyber security standpoint, it is all in that, as you mentioned, retrospective or assurance-based – “What are the things that we have done?” and “How are we protecting ourselves over the last year or quarter or month?” and less about “What are we going to do about the future?” and “How is this becoming a business enabler, rather than just an expense that we have to bear a cost to do in business?” I think that’s probably where the most innovation and the most value is going to be in the future.
Kevin Donahue: Vince, it’s been great speaking with you today. I want to ask you one more question, but first, let me remind our audience that you can go and find our webinars and attend them on demand or view them on demand, as well as find other thought leadership content from Protiviti on cyber security issues and such at protiviti.com/security.
Vince, my final question to you is this: Concerning all of the issues we’ve talked about today, the challenges organizations are facing around cyber risk and understanding how to quantify that, what would you say is the most important step, or first step, an organization should take to tackle them?
Vince Dasta: I think that’s a great question. To me, the first step and the step that most companies aren’t taking is, just try it, right? There is a lot of data that’s available. You don’t need special tools. You don’t need PhD quants to do this type of work. I think most companies get into a stage of analysis paralysis, where they start thinking about all of the things and all of the steps that they don’t have and all the tools that they need to buy and the data repositories they need to build, but the reality is that you can make, like I said, very meaningful measurements that reduce uncertainty very significantly with almost no cost and no additional work.
I think most companies should just start and try it and see what they can do with that, then leave the tools in the specialties and everything else as you evolve it, but try to do this today. I think you’d be pleasantly surprised, or most companies would be, in what they can actually draw from the data that they have and the tools that are available on their desktop today.
Kevin Donahue: That’s great to hear, Vince. It should be encouraging to companies to understand that, look, this is not a huge step – the first step – to take. They can get started today.
Vince Dasta: That’s right.
Kevin Donahue: Vince, thanks again very much for joining me. Great speaking with you. Again, I’ll remind our audience to visit protiviti.com/security for more information on our cyber security webinars and other research and content we’ve published. We also encourage you to subscribe to our Powerful Insights podcast series on iTunes or wherever you find your podcast content.